05-03-2023 06:13 AM
Hello colleagues, one more time! I would like to discuss or clarify several questions regarding SD-Access over SD-WAN multi-site design, or SD-WAN transit as they call it.
The problem is that there is little detailed information about this integration; the only doc I found is this: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/Cisco-SD-Access-SD-WAN-Integrated-Domain-Guide.pdf
We will need the picture on page 14 and the list of limitations at the top of page 28.
They say:
The following features are not supported on the colocated SD-Access | IOS-XE WAN Edge device:
o Multicast
o IPv6
o Layer 2 Flooding
o Layer 2 Border Handoff
o SD-Access Transit
o MultiSite Remote Border
But they don't explain, for each line, why. So could anyone describe, line by line, why it isn't supported?
I am mostly worried about L2 flooding across sites. Let's imagine a particular case: we have 3 or 4 SD-Access sites on different continents and they are connected by SD-WAN. An employee (who definitely knows that we have the best network because we've spent a lot of $) asked us to arrange an L2 channel (or virtual switch) from one site, let it be any C9300 port, to the 9300s at 2 other sites as well. Let's imagine that we have an industrial machine connected to a 9300 on one site and continent, and 2 PLC engineers on other sites and continents who want to have an L2 connection to the machine together, at the same time, for some specific configuring. And correct me if I am wrong, it's impossible in this case, right? But it's possible if I take a legacy device and any L2-over-L3 protocol like L2TPv3 or EoIP (even if it's p2p only), etc.
So the question is: is it really unsupported due to the VXLAN MTU size, and because VXLAN packets can't be fragmented and fragmented ones will be dropped on the VTEPs? And if so, how to solve this problem without workarounds? So, my main concern is: if we use Cisco SD-WAN as the transit technology (it's logical, I think, because public channels are obviously cheaper) between SD-Access sites, which limitations will we have and why, line by line please.
In my opinion, and again correct me if I am wrong, they didn't do enough for product integration: you still need to do manual config for vManage, DNAC and APIC separately and have a dashboard for each separately, despite the fact that all appliances (NX-OS, Cat9k, Cat8k) are based on OSs which support almost the same features and approaches, and I can't understand any tech reasons why they can't merge all products into a single solution... just philosophic, sorry.
Thanks!
05-03-2023 09:47 PM
Hello mikhailov, those features are not supported because there are code limitations. More dev/test work is needed. No ETA. Cisco would encourage you to deploy independent domains instead: https://cs.co/independent-domain. Best regards, Jerome
05-04-2023 03:54 AM
Thanks mate, appreciate it! This doc looks almost the same as the one I shared, but only for the independent-domains case. But could you please describe, in a nutshell or in detail, the frame/packet flow in the case I asked about before? I mean when we need to provide L2 VXLAN connectivity across SD-Access sites via SD-WAN and have public channels only. In my thoughts we will have an issue with MTU because VXLAN packets can't be fragmented, but correct me. Happy to hear that these problems are on a roadmap!
05-04-2023 08:44 PM - edited 05-04-2023 08:45 PM
No problem. A multisite Layer 2 Virtual Network is possible in SD-Access, but as you correctly identified, MTU needs to be considered, as inter-site L2 traffic will be sent inside a VXLAN tunnel, and VXLAN cannot be fragmented. Possible options are:
1. tune the endpoint to not send large packets, OR
2. increase the WAN MTU, OR
3. if the gateway is inside the SD-Access Fabric, configure TCP MSS Adjust on the Fabric Edge Nodes' SVI.
Regarding option #3, this requires templates today, and it will be automated by SD-Access later this year. It will not solve large UDP, if that exists.
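The MTU budget Jerome describes, worked through as an added example (not code from the thread or from Cisco): given the WAN MTU, it computes the largest inner packet that fits inside VXLAN encapsulation without fragmentation, the TCP MSS that option 3 would clamp to, and why that clamp rescues TCP flows but not large UDP. The `extra_overhead` parameter is an assumption for any transport overhead (e.g. IPsec on the SD-WAN tunnel) that the thread does not quantify.

```python
# Added example (not from the thread): budget the inner packet size that
# survives VXLAN encapsulation across a WAN of a given MTU, and derive the
# TCP MSS value that option 3 (MSS adjust on the edge-node SVI) would need.
from dataclasses import dataclass

# Standard header sizes added when a VTEP encapsulates an L2 frame in VXLAN.
OUTER_IPV4 = 20   # outer IP header added by the VTEP
OUTER_UDP = 8     # VXLAN rides on UDP
VXLAN_HDR = 8     # VXLAN header carrying the VNI
INNER_ETH = 14    # the encapsulated frame's own Ethernet header
VXLAN_OVERHEAD = OUTER_IPV4 + OUTER_UDP + VXLAN_HDR + INNER_ETH  # 50 bytes
INNER_IPV4 = 20
TCP_HDR = 20
UDP_HDR = 8


@dataclass
class Budget:
    wan_mtu: int
    # Assumed knob: overhead the WAN transport adds on top of VXLAN (e.g. IPsec).
    extra_overhead: int = 0

    def max_inner_ip_packet(self) -> int:
        """Largest inner IP packet that fits without fragmenting the VXLAN packet."""
        return self.wan_mtu - VXLAN_OVERHEAD - self.extra_overhead

    def tcp_mss(self) -> int:
        """MSS to clamp on the edge SVI so TCP segments never exceed the budget."""
        return self.max_inner_ip_packet() - INNER_IPV4 - TCP_HDR

    def fits(self, inner_ip_len: int) -> bool:
        """True if the inner IP packet crosses the WAN; False means it is dropped,
        because the VXLAN packet cannot be fragmented."""
        return inner_ip_len <= self.max_inner_ip_packet()


def check_flows(budget: Budget, flows):
    """Classify constructed sample flows as 'ok', 'fixed by mss' (TCP, the
    clamp shrinks the segments) or 'dropped' (UDP, option 3 does not help).
    flows: list of (name, "tcp" | "udp", payload_bytes)."""
    results = {}
    for name, proto, payload in flows:
        inner_len = INNER_IPV4 + (TCP_HDR if proto == "tcp" else UDP_HDR) + payload
        if budget.fits(inner_len):
            results[name] = "ok"
        elif proto == "tcp":
            results[name] = "fixed by mss"
        else:
            results[name] = "dropped"
    return results
```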
05-07-2023 05:15 AM
Could you please give any advice on how to arrange an L2 VN in this case, without any extra workarounds or additional hardware?
So if we have SD-Access sites and SD-WAN as the IP core, how can we arrange L2 connectivity across sites?
Thanks!
05-07-2023 09:21 PM
Multisite Remote Border with VN Anchoring might be the way to go; please watch all 3 parts of the following video series: https://youtu.be/w5HQ_CrcxuU
05-08-2023 06:13 AM
Thanks! I watched, but it seems it's about either VRF stretching or the case where you have private channels between sites. But what should we do, from the vendor's point of view, in the case with public channels? Again, any other solutions like EoIP will work, but I wouldn't like to install anything extra. What is the official design guide for this case?
05-09-2023 02:26 PM
Just thought, maybe OTV can help? We use IS-IS in the underlay anyway; the question is how to connect it correctly.
05-30-2023 04:33 AM
Are there any ideas or suggestions on how this problem can be solved? Let's imagine that we have the task of providing L2 connectivity between more than 2 endpoints across several sites (through the internet), and the only tools we have are SD-WAN and SD-Access.